PHP SuperGlobal Variables Increasingly Targeted by Hackers

Hackers are increasingly trying to exploit PHP ‘SuperGlobal’ variables as a way to compromise their targets, according to a new report from Imperva.

Over the course of May, Imperva identified 3,450 requests that manipulated PHP SuperGlobal variables targeting 24 web applications. These requests were generated by 27 different source IP addresses and appeared in the form of request burst floods with peaks of more than 20 hits per minute on a single application.

The source of one such attack examined by the company was traced to an Italian host server targeting two different applications. The host server did not have a malicious reputation, and in fact belonged to an Italian bank.

The firm also said it observed SuperGlobal variable manipulation occurring as part of large vulnerability scans performed by tools such as Nikto, Nessus and Acunetix. This demonstrates that SuperGlobal manipulation has become a common practice, integrated into the routines of security and hacking tools, Imperva observed.

The report also documents an attack on a vulnerable version of the PhpMyAdmin (PMA) utility.

“This utility is often bundled with other applications using the popular MySQL Database,” the report notes. “Having this vulnerable utility present on the server, even if it is not being used by the administrator, exposes the server to code execution attacks, and as a consequence, to full server takeover. Since administrators are not necessarily aware of all the bundled software, an ‘opt out’ security model is needed. One way to achieve such an ‘opt out’ security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.”

“Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire Web,” said Amichai Shulman, CTO at Imperva, in a statement. “The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 percent of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue.”

According to Imperva, organizations can mitigate these attacks by adopting a “positive security model” that specifies the allowed parameter names for each resource, thereby preventing an attacker from sending external parameters that have the same names as internal variables and overriding those variables’ values. In addition, SuperGlobal parameters in requests should be blocked.

“Since there is no reason for these parameters to be present in requests, they should be banned,” the firm advised.
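The two mitigations described above, a per-resource parameter allowlist plus a ban on SuperGlobal names, can be sketched as a request filter. This is an added example, not code from Imperva's report; the resource paths, allowlist and function names are constructed for illustration, and the name normalization only approximates how PHP maps parameter names to variables.

```python
from urllib.parse import parse_qsl

# PHP's predefined superglobal arrays; none is a legitimate request parameter name.
SUPERGLOBALS = {"GLOBALS", "_GET", "_POST", "_COOKIE", "_FILES",
                "_SERVER", "_ENV", "_REQUEST", "_SESSION"}

# Constructed allowlist (assumption): resource path -> parameter names it accepts.
ALLOWED_PARAMS = {
    "/login.php": {"username", "password", "token"},
    "/search.php": {"q", "page"},
}


def php_base_name(raw_name):
    """Approximate the top-level variable name PHP derives from a parameter name.

    PHP drops leading spaces, treats everything from the first '[' as array
    subscripts, and turns spaces and dots in the name into underscores, so
    '_SESSION[user]' and ' _SESSION[user]' both address '_SESSION'.
    """
    name = raw_name.lstrip(" ")
    name = name.split("[", 1)[0]
    return name.replace(" ", "_").replace(".", "_")


def check_request(path, query_string):
    """Return (allowed, reasons) for one request's parameters."""
    reasons = []
    allowed_names = ALLOWED_PARAMS.get(path)
    # parse_qsl percent-decodes, so '%5FSESSION' is compared as '_SESSION'.
    for raw_name, _value in parse_qsl(query_string, keep_blank_values=True):
        base = php_base_name(raw_name)
        if base in SUPERGLOBALS:
            reasons.append(f"superglobal parameter: {raw_name!r}")
        elif allowed_names is None:
            # Positive model: a resource with no allowlist accepts no parameters.
            reasons.append(f"no allowlist for resource: {path!r}")
        elif base not in allowed_names:
            reasons.append(f"unexpected parameter: {raw_name!r}")
    return (not reasons, reasons)
```

The same check would apply to POST bodies and cookie names, which PHP also maps into variables.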

A copy of the report, part of Imperva’s Hacker Intelligence Initiative, is available here.
